Protecting a Linux notebook. Encryption, authentication via flash drive or smartphone and recovery of stolen laptops.

The world has moved on and become mobile. But where there is mobile technology, there is also the risk of losing it, forgetting it somewhere or having it stolen. How do you avoid losing your data, protect it from prying eyes and find stolen equipment? Let’s try to figure it out.

Physical access

Let’s start, as usual, with the basics, namely the login password. It would seem that everything here is simple: any graphical environment has a built-in screen locker that asks for a password after a few minutes of inactivity. But what if you do not use a graphical environment and your choice is a lightweight window manager like Fluxbox or i3?

There are many different screen lockers, but I would recommend slock. It is an extremely simple locker without any graphical controls, input windows or session switchers. All it does is fill the screen with black. When you type a password, the screen turns blue, and when you press Enter with a wrong password, it turns red. Seeing this, most “crackers” will be stumped and decide that the computer has simply hung.

You can either start slock directly (then the screen is locked immediately) or have it start automatically after the notebook wakes up. In the second case you will need the following systemd unit:

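[Unit]
Description=Lock X session using slock for user %i
Before=sleep.target

[Service]
User=%i
# Assumes the X session runs on display :0
Environment=DISPLAY=:0
ExecStartPre=/usr/bin/xset dpms force suspend
ExecStart=/usr/bin/slock

[Install]
WantedBy=sleep.target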

Save it to /etc/systemd/system/slock@.service and enable the unit (USER is your user name on the system):

$ sudo systemctl enable slock@USER.service

Another extremely simple but no less valuable recommendation is to set a BIOS password and disable booting from any media except the hard drive. This will save you from those who try to boot from a flash drive in order to read your disk from another operating system.

Many laptops also let you set a password for booting, rebooting and accessing the hard drive. The latter works at the level of the ATA controller: it will help if someone still manages to boot their own operating system, but will be useless against physical removal of the hard disk.

Disk Encryption

Almost all popular distributions let you encrypt the hard disk when installing the operating system. Such encryption makes it almost impossible to extract data from the disk (given a sufficiently long password), but has one significant disadvantage: a drop in I/O performance, which can reach hundreds and thousands of percent.

You can minimize the performance loss by encrypting only the /home partition (where your data resides) and leaving the system itself unencrypted. In fact, many distributions offer this option by default, but it’s not ideal either: the laptop will burn extra resources just to play a movie saved on disk, and if you’re a software developer or often build software from source, prepare for a significant slowdown.

But there is a way out of this situation too. EncFS and CryFS use the FUSE mechanism to create an encrypted virtual file system on top of the main one. With their help, you can encrypt any single directory without allocating a special container of predefined size, and you can synchronize the directory with Dropbox and similar services.

Both file systems use the AES-256 algorithm in GCM mode but differ in implementation. EncFS encrypts each file individually and therefore hides only the contents of files and their names; it does nothing to hide the directory structure or file sizes. In other words: if someone needs to prove that you are storing a child porn archive downloaded from the darknet, they can do so.

CryFS protects against such risks. A directory encrypted with it looks like a flat tree with a bunch of directories and files of the same size. However, unlike EncFS, CryFS has never been independently audited. If that stops you, use EncFS; if you trust neither of them, you can arm yourself with VeraCrypt or another “classic” encryption tool that uses a container of predefined size, which cannot be placed in Dropbox without re-synchronizing all the encrypted data at the slightest change.

Using EncFS and CryFS is extremely easy. It is enough to install the package and then perform the mount operation:

$ cryfs ~/Dropbox/box ~/crypto

In this case we mount the encrypted directory ~/Dropbox/box as ~/crypto. All files written to the latter will appear in the former in encrypted form.

All valuable data can go into this directory: passport scans, GPG keys, working folders of crypto wallets, password databases and so on. It will have to be mounted manually after each boot, and it is better to unmount it immediately after use:

$ fusermount -u ~/crypto


CryFS encrypted directory contents


Authentication without password

So, the disk is protected and the password is set, but is it convenient? Entering a password at boot, which does not happen often on modern notebooks, is not difficult, and neither is entering a password to decrypt data at boot, but entering it every time you unlock the screen is tedious. Moreover, your neighbors on an airplane can watch you type it. You need a different method, or even better, a combination of methods.

Flash drive

I think everyone has heard about a thing called YubiKey. This is a USB dongle that acts as a second factor when authenticating to sites and the system. It costs $50, but you can actually use a regular flash drive instead.

The pam_usb module lets you configure authentication with any USB stick. The principle is as follows: the utility writes 2 Kbytes of random data to the flash drive, which acts as a unique key. During authentication pam_usb reads this block of data from the flash drive, compares it with the data stored on the computer and lets you into the system if they match.

To make all this work, you have to follow these steps. Install pam_usb:

$ git clone
$ cd pam_usb
$ make
$ sudo make install

In Arch Linux pam_usb is available in the AUR:

$ yaourt -S pam_usb

Write that random data to your flash drive (AuthKey here is an arbitrary name):

$ sudo pamusb-conf --add-device AuthKey

Specify a user who will authenticate using a flash drive:

$ sudo pamusb-conf --add-user username

Check that everything is set up as it should be:

$ sudo pamusb-check username

Finally, add pam_usb to the list of PAM modules. To do this, open the file /etc/pam.d/common-auth (or /etc/pam.d/system-auth in Arch Linux and Fedora) and add this line to the beginning of the file:

auth sufficient pam_usb.so

In this case the flash drive will be enough for authentication. If you want to get two-factor authentication, when both flash drive and password are required, change the line to this one:

auth required pam_usb.so

Keep in mind that the author of pam_usb does not position his work as something that can be trusted to protect state secrets, let alone the family recipe for onion soup. Anyone can take a dump of the flash drive, write it to another flash drive and use that one for authentication.


Customize pam_usb



Instead of a flash drive (or in addition to it) you can use a smartphone. I am sure that at least once in your life you have used the Google Authenticator application. It implements the TOTP algorithm (Time-based One-Time Password, RFC 6238), which lets you authenticate in one application using a one-time password generated by another application.

Google lets you use Authenticator to authenticate to its services. In reality, however, it isn’t tied to Google in any way and doesn’t use its servers (the key required to generate one-time passwords is transferred directly by means of a QR code, after which the application works on its own), which allows us to use it for authentication in the system without fear of password leaks.

To do this, install the PAM module pam-google-authenticator:

$ ./
$ ./configure
$ make
$ sudo make install

In Arch Linux the installation is done in this way:

$ yaourt -S google-authenticator-libpam-git

Then run the application google-authenticator:

$ google-authenticator

It will generate a QR code (or show a link to it), which you scan with the Google Authenticator application on your smartphone, and it will also ask you some questions. Answer no to all of them except the fourth (increasing the allowed time difference between the client and the server).

Then, as with the flash drive, we add the following line to /etc/pam.d/common-auth:

auth required pam_google_authenticator.so no_increment_hotp

One-time passwords can be easily combined with the need to insert a flash drive in different variations. To do this, simply set the second option to the desired value.
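How the one-time codes described above are derived from the shared key and checked against a time window, as an added example that is not part of the original article and not the pam-google-authenticator code. The secret is the published RFC 6238 test key, and the function names and the window parameter are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """Code the phone displays at unix_time, computed from the shared secret only."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // STEP)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1):
    """Return the step offset at which code matches, or None if it is rejected.

    window=1 accepts the previous, current and next code. A larger window
    tolerates more clock drift but keeps every code valid for longer.
    """
    key = base64.b32decode(secret_b32.upper())
    current = server_time // STEP
    for offset in range(-window, window + 1):
        if current + offset < 0:
            continue  # no time step exists before the Unix epoch
        if hmac.compare_digest(hotp(key, current + offset), code):
            return offset
    return None


if __name__ == "__main__":
    phone_code = totp(SECRET, 59)                          # phone clock reads t=59
    print(phone_code)
    print(verify(SECRET, phone_code, 59))                  # clocks agree
    print(verify(SECRET, phone_code, 59 + 120))            # server 2 minutes ahead
    print(verify(SECRET, phone_code, 59 + 120, window=8))  # wider drift window
```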


QR code pam-google-authenticator



With passwords, one-time codes and encryption, we can only protect the information on the laptop. To protect the laptop itself, we need a different tool, namely a tracking system similar to the Find my iPhone feature: a system that lets us remotely contact the notebook, determine its coordinates, take a screenshot and take a picture with the front camera.

One of the best solutions in this area is called Prey. It is available for phones and computers running Windows, macOS and Linux. We are interested in the latter, so go to the download page, download the deb package and install it:

$ sudo dpkg -i prey_1.7.3_amd64.deb

In Arch Linux, Prey is in the AUR:

$ yaourt -S prey-node-client

Just keep in mind that it will be installed on the system as prey_project.

When the installation is complete, start the configurator:

$ sudo prey config account setup

It will ask you for your email address and a password, and this concludes the installation. To check that everything works, go to the web control panel and enjoy the ability to track your device in real time.

The free Prey version allows you to find out the location of the device, OS and hardware information, turn on the alarm, lock the device, take pictures with the camera or take screenshots. To be able to delete data and download files, you have to pay five dollars a month.

Also keep in mind that unlike smartphones, which are connected to the mobile network by default and thus are always available online, a laptop is more often offline and usually connects to open Wi-Fi networks only with the user’s permission. In other words, the chances of finding the laptop are much lower than the chances of finding the phone.


Laptop information in the Prey control panel.

Sleep-exit photo

One more way to fight unwelcome guests is to take pictures of them. Let’s say you left your laptop in your room, a stranger comes in, wakes the laptop from sleep and tries to log in (more precisely, tries to understand what’s going on, because we use slock). It’s time to take a picture of them.

First let’s write a script which will take a picture with the laptop’s camera. It will be extremely simple:

#!/bin/sh
ffmpeg -y -t 1 -f video4linux2 -s 640x480 -r 30 -i /dev/video0 -f image2 "$HOME/webcam.png"

Name it take_photo, put it in the ~/bin directory and give the execution rights:

$ chmod +x ~/bin/take_photo

Now we need to write a script that will run our script after the computer wakes up. Here it is:

#!/bin/sh
if [ "$1" = post ] && [ "$2" = suspend ]; then
    sudo -u YOUR_NAME_IN_SYSTEM /home/YOUR_NAME_IN_SYSTEM/bin/take_photo
fi

Name it 00take_photo, put it in the /lib/systemd/system-sleep/ directory and give the same execution rights:

$ sudo chmod +x /lib/systemd/system-sleep/00take_photo

Now every time it wakes up, your laptop will take a photo and save it to ~/webcam.png. But we can go even further and send the photo to ourselves via Telegram. For this we install telegram-cli. The easiest way to do this is on Arch Linux:

$ yaourt -S telegram-cli-git

Run the utility with the command telegram-cli. It will ask for the phone number (phone number:) in the format +71234567890, then the security code from the SMS and the password, if one is set.

Then we adjust our ~/bin/take_photo script a bit:

#!/bin/sh
# Timestamped file name without spaces, reused for both capture and upload
PHOTO="$HOME/webcam-$(date +%Y%m%d-%H%M%S).png"
ffmpeg -y -t 1 -f video4linux2 -s 640x480 -r 30 -i /dev/video0 -f image2 "$PHOTO"
sleep 60
telegram-cli -W -D -e "send_photo @YOUR_NAME_IN_TELEGRAM $PHOTO $(date)"

Now it will not only take a photo, but also send it to us on Telegram. The sleep 60 command adds a one-minute delay before sending, so that the notebook has time to connect to Wi-Fi.



Protecting a laptop is not as easy as protecting a smartphone, which uses full disk encryption with TEE acceleration, has fingerprint protection and can be tracked across all types of networks. But by applying the tricks described in this article, you can at least say that you have done your best.
